Install the Trust Protection Foundation MMC Snap-In Collection
NOTE This procedure provides instructions on installing the Trust Protection Foundation MMC Snap-In Collection. The snap-in collection can be installed on any Windows workstation, thereby allowing administrators to perform management tasks without having to be signed in to the Trust Protection Foundation server.
In order to complete this procedure, you'll need the following information:
- URL of the Trust Protection Foundation SDK endpoint
  If the default engine settings are used, this is: https://[server]/vedsdk/
- URL of the Trust Protection Foundation authentication endpoint
  If the default engine settings are used, this is: https://[server]/vedauth/
- Valid user credentials to the Trust Protection Foundation server and access to use the snap-ins.
  While users may have access to view the snap-in, they must also have rights to see the data. For example, the Recycle Bin snap-in can be added by anybody, but the contents of the recycle bin can only be seen by a master administrator.
- API access granted to the user.
  The snap-in collection utilizes CyberArk's API, so to use the snap-ins, your user account needs API access. This is covered in the next section.
- Authentication method information.
  You can log in using your Trust Protection Foundation user name and password, or you can use Windows Integrated Authentication (if Trust Protection Foundation itself has been configured to use Windows Authentication). Please review the following topics for information on configuring Trust Protection Foundation to use Windows Integrated Authentication:
The Snap-In Collection requires the following:
- .NET 4.7.2
- Windows 8.1 or later or Windows Server 2016 or later
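The requirements and endpoint URLs above can be checked from the workstation before the installer is run. The script below is an added example, not part of the product or its documentation; the server name and the MSI path are placeholders, and requiring TLS 1.2 on the endpoints is an assumption.

```powershell
# Added example: preflight checks to run before installing the snap-in collection.
# $Server and $MsiPath are placeholders (assumptions), not values from this page.
param(
    [string]$Server  = 'tpf.example.internal',
    [string]$MsiPath = '.\RemoteMmc-25.3.msi'
)

function Test-DotNet472 {
    # .NET Framework 4.7.2 and later report a Release value of 461808 or higher.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    return ($release -ge 461808)
}

function Test-SupportedWindows {
    # Workstation: Windows 8.1 (6.3) or later. Server: Windows Server 2016 (10.0.14393) or later.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $version = [version]$os.Version
    if ($os.ProductType -eq 1) { return ($version -ge [version]'6.3') }
    return ($version -ge [version]'10.0.14393')
}

function Test-TlsEndpoint {
    param([uri]$Url)
    # Only accept HTTPS, and only if the certificate validates for this host name.
    if ($Url.Scheme -ne 'https') { return $false }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Url.Host, $Url.Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Throws on an untrusted chain or a name mismatch. TLS 1.2 is an assumption here.
        $ssl.AuthenticateAsClient($Url.Host, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return $true
    } catch {
        Write-Warning ('{0}: {1}' -f $Url, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

# Authenticode status of the installer; compare the signer with what you expect from the vendor.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath

[pscustomobject]@{
    DotNet472OrLater = Test-DotNet472
    SupportedWindows = Test-SupportedWindows
    SdkEndpointTls   = Test-TlsEndpoint -Url "https://$Server/vedsdk/"
    AuthEndpointTls  = Test-TlsEndpoint -Url "https://$Server/vedauth/"
    MsiSignature     = $sig.Status
    MsiSigner        = $sig.SignerCertificate.Subject
}
```

A certificate warning on either endpoint is worth resolving before entering credentials in the snap-in connection dialog, since the Credentials method sends the user name and password to that host.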
Grant access to the snap-ins
In order to use the MMC snap-ins, a master admin must grant access to them. The relevant Application Names for the snap-ins in the MMC snap-in collection are:
- CyberArk Code Signing Administration
- CyberArk Configuration Console
- Events
- Statistics
- Recycle Bin
- CyberArk Access Management
- CyberArk Message Bus
- CyberArk Tools
To use any of the MMC snap-ins, users must be given access by an administrator. To grant access, use the Integrations page in the Platform product.
- Sign in to Trust Protection Foundation, and click API > Integrations in the menu bar.
  TIP Use the filter to search for MMC to see all the snap-ins.
- Click the name of the snap-in you're granting access to.
- Click User or team access.
- In the User or team box, enter the name of the user or team you want to grant access to.
- Click Add.
- Click Save.
Once users have access, they can install and configure the snap-in.
After access is granted to use the snap-ins, return to this topic and follow the steps below to load them in the MMC.
Download and install the Trust Protection Foundation MMC Snap-In Collection
- Download the RemoteMmc-25.3.msi installation file.
- Run the installation file. The Trust Protection Foundation MMC Snap-In Collection Setup wizard opens. Click Next.
- Accept the end-user license agreement and click Next.
- Select the location where you want the Remote MMC snap-in installed. Click Next.
- Click Install. The installation takes place. Click Finish.
Add the Snap-Ins to the MMC
DID YOU KNOW? You can have snap-ins for multiple servers, allowing you to easily manage a complete cluster of Trust Protection Foundation servers, as well as servers in lower (development, test, etc.) environments.
Additionally, since identities cannot see identities from other identity providers (local admins cannot see identities managed by Active Directory, for example), you can add multiple instances of the same snap-in for the same Trust Protection Foundation server, but with different user credentials. This allows you to manage users from multiple identity providers, or even see the rights and permissions granted to users within the same identity provider, but with different roles.
- On the Windows computer where you want to run the snap-in, open the MMC console.
  You can do this by pressing Windows+R and typing mmc in the Open box. Click OK, and then click Yes in the User Account Control window.
- Click File > Add/Remove Snap-In.
- From the Available snap-ins list, locate the snap-ins. For each snap-in that you want to add, follow the instructions below:
Code Sign Manager - Self-Hosted Administration
You must have a valid access grant to use the Code Signing snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Code Signing snap-in, and then click Add.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Click OK. The snap-in is added to the Selected snap-ins list.
Events
You must have a valid access grant to use the Events snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Events snap-in, and then click Add.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Click Connect. After connecting, you will see Channel and Result Limit.
The Channel drop-down shows all configured SQL channels that log event data. Select the one you would like to view data from.
The Result Limit drop-down is the default limit that will be used for any retrieved records, if a custom view does not specify a limit. For example, if you select 50,000 and a query has more than 50,000 results, only the 50,000 newest events will be returned and displayed.
Click OK. The snap-in is added to the Selected snap-ins list.
Statistics
You must have a valid access grant to use the Statistics snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Statistics snap-in, and then click Add.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Click OK. The snap-in is added to the Selected snap-ins list.
CyberArk Configuration Console
You must have a valid access grant to use the CyberArk Configuration snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the CyberArk Configuration snap-in, and then click Add.
Please note that users must have the Master Admin role to see the contents of the CyberArk Configuration snap-in.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Remember, you will only see content in this node if you have the Master Admin role.
Click OK. The CyberArk Configuration Console snap-in is added to the Selected snap-ins list.
Recycle Bin
You must have a valid access grant to use the Recycle Bin snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Recycle Bin snap-in, and then click Add.
Please note that users must have the Master Admin role or the Recycle Bin Admin role to see the contents of the Recycle Bin snap-in.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Remember, you will only see content in this node if you have the Master Admin role or the Recycle Bin Admin role.
Click OK. The Recycle Bin snap-in is added to the Selected snap-ins list.
Access Management
You must have a valid access grant to use the Access Management snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Access Management snap-in, and then click Add.
Please note that users must have the Master Admin role to see the contents of the Access Management snap-in.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Remember, you will only see content in this node if you have the Master Admin role.
Click OK. The Access Management snap-in is added to the Selected snap-ins list.
Message Bus
You must have a valid access grant to use the Venafi Bus Management snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Venafi Bus Management snap-in, and then click Add.
Please note that users must have the Master Admin role or the Recycle Bin Admin role to see the contents of the Recycle Bin snap-in.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Remember, you will only see content in this node if you have the Master Admin role or the Recycle Bin Admin role.
Click OK. The Message Bus snap-in is added to the Selected snap-ins list.
Tools
You must have a valid access grant to use the Tools snap-in prior to completing these steps. See Grant access to the snap-ins.
Select the Tools snap-in, and then click Add.
Please note that users must have the Master Admin role to see the contents of the Tools snap-in.
In the CyberArk Selection dialog, enter the following:
- Title: Enter a title for this connection.
  This will be used as the root node of the snap-in. Since you can have more than one Trust Protection Foundation instance, you should give it something that helps you know which Trust Protection Foundation instance this item is connected to.
- Host URL: URL of the Trust Protection Foundation SDK server.
  If you haven't modified the engine's default settings, the format is https://[trust-protection-foundation-server]/vedsdk/.
- Auth URL: URL of the authentication Trust Protection Foundation server.
  If you haven't modified the engine's default settings, the format is: https://[trust-protection-foundation-server]/vedauth/.
  Correct format is https://[server URL]/vedauth/.
- Method: Select the method of authentication.
  - Select Credentials if you want to log in with the user name and password you use to access Trust Protection Foundation.
  - Select Integrated Authentication if you want to use Windows Authentication.
- Username and Password: If you are using the Credential method, enter the user name and password you use to access Trust Protection Foundation. If you are using the Integrated Authentication method, these fields are disabled.
Remember, you will only see content in this node if you have the Master Admin role.
Click OK. The Tools snap-in is added to the Selected snap-ins list.
- Click OK.
Saving the Snap-In view
Once the snap-in is loaded, you can save your view for quicker access in the future. In the MMC, click File > Save. Choose a name and location for your .msc file, and click Save. Double-clicking the .msc file opens the MMC with the snap-in already loaded.